Collect only necessary info for contact-tracing, NPC to biz

By Raymond Carl Dela Cruz

July 9, 2020, 6:09 pm

MANILA – As quarantine protocols relax and businesses begin to open their doors to consumers, the National Privacy Commission (NPC) reminded proprietors that the information they collect from their customers must follow data privacy laws.

The NPC’s reminder, issued in a bulletin released on Wednesday, came following the Department of Trade and Industry’s (DTI) release of Memorandum Circular (MC) 20-37, s. 2020 or the Guidelines to Follow on Minimum Health Protocols for Dine-In Restaurants and Fastfood Establishments, and MC 20-28, s. 2020 or the Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons.

To help ensure that the data collected conforms with government policies, the NPC said businesses may adopt sample forms issued by government agencies “but should not collect beyond what is required and necessary.”

“Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such information as required under existing government issuances,” the NPC said.

For transparency, it said businesses must inform their customers and visitors of the collection of their personal data and the reasons why it is necessary.

It recommended the posting of a privacy notice within business premises such as at the entrance or other visible areas.

“If the establishment opts to use electronic means, the notice must be posted in the platform prior to collection,” the NPC said.

The data collected through health checklists or other similar forms, it said, must be used only for contact-tracing measures, and using the personal data of customers or visitors for any other purpose is “punishable under the Data Privacy Act of 2012.”

“Repurposing the use of data other than contact tracing and storing data for speculative use is not allowed,” the NPC said.

Once information is collected, it said establishments are obligated to ensure the security of this data through “reasonable and appropriate safeguards.”

These safeguards, which could be composed of organizational, physical, and/or technical security measures, it said, must protect customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.

To ensure that data collected would not be used for more than contact tracing, it said businesses must also only keep personal data for a limited period as allowed by existing government guidelines.

“After which, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure,” the NPC said. (PNA)

 

 
